Nearly Half a BILLION Passwords Stolen in MySpace Breach

In what could prove to be one of the biggest data breaches of all time, Time Inc., has confirmed that Myspace, the social media website that it owns, had been hacked.

Myspace, one of the earliest social media websites and communities is now confirmed as the victim of a 2013 breach by its parent company, Time Inc.

The database of the breached Myspace server was put up for sale by a hacker known as “Peace.”

Motherboard, in communications with Peace and paid hacked-data search engine LeakedSource, revealed that the database contains 427,484,128 passwords. However, only 360 million user emails were acquired from the database, due to some accounts having two passwords.

A summary of the data set put up by LeakedSource reads:

This data set contains 360,213,024 records. Each record may contain an email address, a username, one password and in some cases a second password. Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password.

Time Inc. confirmed the June 2013 breach of Myspace, noting that the compromised data was “limited to a portion of Myspace usernames, passwords and email addresses.”

Related read: 65 Million Email Credentials Stolen from Tumblr Breach

The parent company insisted that the breach did not affect any Time Inc. systems, subscriber information or other media properties.

Some of the top passwords as revealed by LeakedSource are:

Homelesspa, password1, abc123, 123456, myspace1, 123456a, 123456789, a123456, 123abc and qwerty1, among others.

Significantly, the passwords were stored in SHA1, with no salting. The lack of security enforced makes it exponentially easier for malicious hackers to crack and decipher the passwords in plaintext, as evident by those revealed by LeakedSource.

With 427 million stolen passwords, the incident could represent one of the largest breaches of all time. In comparison, LinkedIn’s breach exposed nearly 120 million user credentials, while the Tumblr breach saw 65 million compromised passwords.

To check the security status of your online accounts, LIFARS recommends the hacked-records database Have I Been Pwned?, a useful tool to check on your accounts.

Images credit: Flickr.